Microsoft disrupts the Zeus infrastructure

Over the weekend and this morning, Microsoft, working in conjunction with others, issued civil lawsuits to sinkhole numerous domains associated with the Zeus botnet. When I say “botnet”, I use the term loosely because Zeus is not a botnet in the sense that Rustock or Waledac is (or was). Rather, Zeus is a tool kit that online criminals can buy that lets them create phishing pages, perform fast fluxing, host drive-by downloads in addition to spamming. It’s more like infrastructure than a botnet, although it does have a large botnet under its control.

SEATTLE — Microsoft employees, accompanied by United States marshals, raided two nondescript office buildings in Pennsylvania and Illinois on Friday, aiming to disrupt one of the most pernicious forms of online crime today — botnets, or groups of computers that help harvest bank account passwords and other personal information from millions of other computers.

With a warrant in hand from a federal judge authorizing the sweep, the Microsoft lawyers and technical personnel gathered evidence and deactivated Web servers ostensibly used by criminals in a scheme to infect computers and steal personal data. At the same time, Microsoft seized control of hundreds of Web addresses that it says were used as part of the same scheme. …

On Friday, Microsoft was attacking its most complex target yet, known as the Zeus botnets. The creators of Zeus offer their botnet code for sale to others and, depending on the level of customer support and customization of the code that clients require, charge them $700 to $15,000 for the software, Microsoft said in a lawsuit filed in federal court in Brooklyn on March 19.

That, in turn, has resulted in many variants of Zeus botnets, making them harder to combat. Most of them are aimed at perpetrating various financial scams against online victims. Mr. Boscovich of Microsoft said he had a “high degree of confidence” that the unnamed culprits behind Zeus were in Eastern Europe.

Because of the financial fraud involved, Microsoft rallied support from two financial industry associations — the Financial Services Information Sharing and Analysis Center and the National Automated Clearing House Association — which were were co-plaintiffs in the case and filed court declarations endorsing Microsoft’s sweep on Friday.

Similar to the Rustock takedown where Pfizer joined in the lawsuit, in this case the NACHA and FSISAC (see above for full acronym expansion) took part in the actions.

But not everyone thinks that Microsoft’s actions actually fix the problem:

Jose Nazario, a senior security researcher at Arbor Networks, an Internet security firm, said that Microsoft’s record against botnets had been a “mixed bag” and that some of its gains were only temporary. After an earlier action against a botnet known as Waledac, for example, the software behind it was modified slightly to create a new botnet.

“You can take out a botnet, but unless you take down the coders and put the clients behind bars, they’re just going to go ahead and do this again,” Mr. Nazario said.

Of course, Microsoft doesn’t believe that this will be a permanent fix. Nobody within Microsoft thinks that sinkholing botnets fixes the problem of abuse. Microsoft even admits it in the article:

Mr. Boscovich said he did not think the Friday sweep would be as big a blow to Zeus as Microsoft’s previous actions against botnets, but he said it was just the beginning of actions aimed at raising the cost of doing business for the botnet’s masterminds. “The plan is to disrupt, disrupt, disrupt,” he said.

Disruption is a pretty good tactic if you can do it often enough. It causes the online criminals to constantly have to focus on architecture and making sure that their networks are robust and that takes up a lot of time (we have to do it all the time with our own network and it’s a pain-in-the-ass). If they’re always having to move their infrastructure somewhere else it means that they cannot focus on defrauding victims.

Unfortunately, disruption has its side effects. When you constantly disrupt spammers’ infrastructure, you end up creating a better spammer. They get more and more adept at evading detection and making sure that disruption is not as adverse as it was, say, when McColo was taken down three years ago. To be sure, service disruption hurts but it begins another cat-and-mouse game forcing each side to get better and better at detecting and evading detection.